The Weekly Breach Breakdown Podcast by ITRC - Rocky Mountain High - S3E27

Show Transcript

Rocky Mountain High

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for October 7, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we discuss the proposed regulations supporting a new state privacy law – in a state that isn’t named California. It is the Colorado privacy law.

The Golden State started the trend of adopting strict state privacy laws in the absence of a national law protecting consumer information. The California Consumer Privacy Act (CCPA) was passed in 2018 and later upgraded by voters in 2020 to the California Privacy Rights Act (CPRA). That law will go into effect in 2023.

New Colorado Privacy Law

However, California isn’t the only state that starts with C that has passed a state privacy law that gives consumers more say over how their personal information is collected and used. So has Colorado, whose law also goes into effect in the middle of the new year.

Proposed Rules to Comply with Colorado Privacy Law

As is typical when a legislature passes a law, that is not the end of the story. Regulations are needed to make the new law operable in many cases. That is the case in Colorado, where the Attorney General (AG) has released proposed rules that businesses must follow to comply with the Colorado privacy law. Three key areas stand out as being fundamentally different from the approaches taken in other states: 

1. Colorado is proposing to structure required privacy notices around the reason or purpose of collecting and using information. Other states - California, for example - require notices to be built around the type of information collected and used.
2. The drafted regulations create a new category of sensitive personal information known as “Sensitive Data Inferences.” That means using data to infer a person's racial or ethnic origin, religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship status”. Sensitive Data Inferences can only be used in limited circumstances and must be deleted within 12 hours of collection under the proposed rules.
3. The third area that makes these proposed regulations interesting is a specific section that requires organizations to follow good data minimization practices. If approved, businesses and other groups subject to the law will be required to create data retention and deletion schedules to ensure they do not collect more information than is needed and that it is not kept longer than necessary. This is a key component to reducing identity compromises: you can’t lose control of the information you don’t have.

How Colorado Residents Can Learn More and Get Involved

Residents of Colorado and other interested parties have until November 7 to submit written comments about the proposed regulations in the Colorado privacy law. You can also attend one of three virtual meetings on November 10, 15 or 17. If you want to review the regulations or find out how to provide feedback on the Colorado privacy law, visit the Colorado AG’s website at COAG.gov and search for the Colorado Privacy Act.

Contact the ITRC

If you want to learn how to protect your personal information or think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Next week, we will release the analysis of the data breaches reported in the third quarter of this year. There is some interesting information buried in that data, and we’ll dig it out and serve it to you on the next episode of the Weekly Breach Breakdown.